Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: use target task's context in apparmor_getprocattr()

apparmor_getprocattr() incorrectly calls task_ctx(current) instead of
task_ctx(task) when retrieving prev and exec attributes, returning the
caller's labels rather than the target's.

Fix by passing task to task_ctx().

The issue can be reproduced when a process with an onexec transition
(e.g., configured by a container runtime) is inspected via
/proc/<pid>/attr/apparmor/exec. The reader's own value is returned
instead of the target's.

Reported-by: Qualys Security Advisory <qsa@qualys.com>
Fixes: 3b529a7600d8 ("apparmor: move task domain change info to task security")
Cc: stable@vger.kernel.org
Co-developed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
Co-developed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Authored by Cengiz Can and committed by John Johansen
4afc6170 6de23f81

+7 -9
security/apparmor/lsm.c
··· 822 822 char **value) 823 823 { 824 824 int error = -ENOENT; 825 - /* released below */ 826 - const struct cred *cred = get_task_cred(task); 827 - struct aa_task_ctx *ctx = task_ctx(current); 828 825 struct aa_label *label = NULL; 829 826 827 + rcu_read_lock(); 830 828 if (strcmp(name, "current") == 0) 831 - label = aa_get_newest_label(cred_label(cred)); 832 - else if (strcmp(name, "prev") == 0 && ctx->previous) 833 - label = aa_get_newest_label(ctx->previous); 834 - else if (strcmp(name, "exec") == 0 && ctx->onexec) 835 - label = aa_get_newest_label(ctx->onexec); 829 + label = aa_get_newest_cred_label(__task_cred(task)); 830 + else if (strcmp(name, "prev") == 0 && task_ctx(task)->previous) 831 + label = aa_get_newest_label(task_ctx(task)->previous); 832 + else if (strcmp(name, "exec") == 0 && task_ctx(task)->onexec) 833 + label = aa_get_newest_label(task_ctx(task)->onexec); 836 834 else 837 835 error = -EINVAL; 836 + rcu_read_unlock(); 838 837 839 838 if (label) 840 839 error = aa_getprocattr(label, value, true); 841 840 842 841 aa_put_label(label); 843 - put_cred(cred); 844 842 845 843 return error; 846 844 }
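Review bot: The commit message describes the fix as "passing task to task_ctx()", but this hunk also changes how the cred is obtained: the `get_task_cred(task)` / `put_cred(cred)` pair (and the "released below" comment) is replaced by an `rcu_read_lock()` section that reads `__task_cred(task)` through `aa_get_newest_cred_label()`. Please state in the message why the cred handling is reworked alongside the `task_ctx` fix, since the two are logically separate and the stable backport reviewers will want the rationale. Separately, in the new `prev` and `exec` branches `task_ctx(task)->previous` and `task_ctx(task)->onexec` are dereferenced twice, once in the condition and once in `aa_get_newest_label()`; reading each pointer once into a local before the check would make the read of another task's context a single access and avoid a check-then-use gap, for example `struct aa_label *prev = task_ctx(task)->previous;` followed by `if (prev) label = aa_get_newest_label(prev);`.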